Security & Trust Lead (USA Only - 100% Remote)

<div><strong><strong>About the Role</strong></strong><br/><br/>We have 11k+ customers, which means we have a lot of data in our care. Earning and keeping their trust - rigorous security and privacy practices, plus the compliance and audit work that verifies it to customers - has so far been spread across engineering leadership, our founders, and our ops team. It's high time this had a real owner.<br/><br/>You'll be the first person at Close whose full-time job is protecting our customers' data and our company: GRC (security governance, risk, and compliance), internal security (identity, devices, access, vendors), incidents, and the customer-facing resources that prove we do this well. Your mandate is to build this like an engineer - automate the evidence, codify the processes, use AI aggressively. We recommend giving grc.engineering a read; this is the mentality we're hiring for.<br/><br/><strong><strong>You are</strong></strong><br/><ul><li><strong>A hands-on operator, with 5+ years of building Security & Trust programs.</strong> You've personally run security and compliance programs, ideally at a 50-300 person company. You've been the one configuring SSO, running access reviews, answering the SOC 2 auditor's questions.</li><li><strong>Technical enough to know how our systems work.</strong> You can reason about SSO/IAM configuration details, trace how customer data flows through third-party tools, and dig through logs (e.g., in Loki) to run down an incident yourself.</li><li><strong>Automation and efficiency minded.</strong> You'll happily grind through manual work when it's needed - screenshotting evidence, searching logs - but you refuse to still be doing it by hand a year later, so you automate it away with scripts, APIs, and AI.</li><li><strong>AI-positive.</strong> You see AI as something to help us adopt faster, not just a risk to manage. Your instinct is to find the safe path to yes and you can tell the difference between exposure and vibes.</li></ul><strong><strong>You will</strong></strong><br/><ul><li><strong>Run our GRC program - then automate it.</strong> Vanta day to day (controls, policies, alerts, evidence, vendor reviews), leading our SOC 2 Type 2 audits, annual risk assessments, and evaluating additional frameworks (ISO 27001, HIPAA). Wherever a recurring check, evidence pull, or list (like our GDPR subprocessors) can come from code or an API instead of by hand, make it so.</li><li><strong>Own how customer data moves through our stack.</strong> Audit what flows to third-party tools (and stop what shouldn't), and build a real process for deletion requests across our analytics stack.</li><li><strong>Be the security gate for new tools and vendors.</strong> Confirm SOC 2 status, get the DPA signed, add them in Vanta, update the subprocessor list - with a process that lets the team adopt new tools (AI especially) quickly and safely. Procurement and spend stay with finance/ops; the security and privacy review is yours.</li><li><strong>Make Close best-in-class at communicating trustworthiness.</strong> Own trust.close.com and our security/privacy/GDPR pages, and turn them into the place where customers' security questions can answer themselves.</li><li><strong>Coordinate product security audits.</strong> Run pen tests and audits of our product jointly with Engineering - vendor selection, scoping, and the artifacts we need for customers and partners (e.g., Google OAuth restricted scopes). Engineering fixes what's found; you make sure the audits happen and produce what we need.</li><li><strong>Investigate and clean up security incidents.</strong> When something looks off, you're the one who digs in to run it down and contain it - work that currently falls to Engineering by default.</li><li><strong>Own our identity and device security.</strong> SSO/IAM strategy and configuration, MDM across the fleet, the security side of onboarding/offboarding, and regular access reviews so no one keeps a key they shouldn't. You make the call on where we require SSO and what we'll pay for it.</li><li><strong>Run our employee security program.</strong> Training people actually remember, phishing simulations to keep us honest, and ongoing monitoring (e.g., 1Password Watchtower) with follow-through.</li></ul><strong><strong>What this role is not</strong></strong><br/><ul><li><strong>Product or application security engineering.</strong> You'll coordinate audits of our product and drive incident investigations, but you won't ship code to our product, own its architecture, or be responsible for implementing fixes - that belongs to our engineering org.</li><li><strong>Infrastructure.</strong> Our AWS and production infrastructure belong to our DevOps/SRE team. Where your work touches production, you drive the investigation; engineering implements what needs production access.</li><li><strong>Legal.</strong> Privacy policy, DPAs, and legal interpretation of GDPR/CCPA will sit with our legal function. You own the operational side and partner closely with them.</li><li><strong>Only IT support.</strong> You'll help with the occasional IT request - it comes with owning devices, identity, and tooling - but it's a small slice of the job, and you'll automate the routine parts. If helpdesk work is the whole of your background, this isn't the fit.</li></ul><strong><strong>Benefits</strong></strong><br/><ul><li>Compensation: Competitive pay plus an organization-wide goal-based bonus</li><li>Paid Time Off: ~5 weeks of PTO to start. Plus a 1-week all-company Winter Holiday Break and paid US holidays. You'll earn 2 extra days for every year you're with Close.</li><li>80% Work Option: Work with your manager to choose between a standard 5-day week or a 4-day week at 80% pay</li><li>Parental Leave: Paid leave for primary and secondary caregivers</li><li>Sabbatical: A 1-month paid sabbatical every 5 years with the team</li><li>Healthcare (US residents): Two medical plans with Close covering 99% of your premium, plus Dental, Vision, HSA, FSA, and company-paid Long-Term Disability</li><li>401k (US residents): We match your contributions up to 6%, vested immediately</li></ul></div>

Back to blog

Other Jobs To Apply

No other job posts for this day.